The Victorian government has called on the federal government to add stricter controls to Australia's facial recognition database, such as privacy safeguards for the reporting of data misuse, and clarification on how non-government entities may access the service.
The Australian government in February introduced two Bills into the House of Representatives that would allow for the creation of a system to match photos against identities of citizens stored in various federal and state agencies: The Identity-matching Services Bill 2018 (IMS Bill) and the Australian Passports Amendment (Identity-matching Services) Bill 2018.
The first Bill authorises the Peter Dutton-led department to operate a central hub for communicating between agencies, while the second would allow for real-time crime fighting, according to Foreign Minister Julie Bishop.
The pair of Bills make good on an agreement reached at COAG in October to introduce a national system allowing for biometric matching.
In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security currently reviewing the Bills, the Victorian government argued there should be an overarching authority that has transparency and oversight on the Face Identification Service (FIS), noting the IMS Bill lacks transparency on the privacy requirements of accessing authorities.
"We particularly note that aside from an Annual Reporting Cycle, there are no provisions in the IMS Bill to support timely reporting, including misuse of data or access breaches by users of the IMS itself," the submission penned by Special Minister of State Gavin Jennings reads.
"Given that the IMS may be used for surveillance purposes to support law enforcement, we recommend that appropriate security checks and balances be enshrined in the legislation to provide appropriate transparency to give users and the public confidence in the operation of the IMS."
Turning to models in place in the United Kingdom, Victoria said it considers the appointment of independent regulatory bodies such as the Office of the Biometrics Commissioner, the Investigatory Powers Commissioner, and the UK Surveillance Camera Commissioner "marks of good governance".
"Victoria recommends the Commonwealth consider similar constructs as well to support greater transparency in the oversight of the IMS," the submission continues.
"We note that while the IMS Bill provides a legal basis for the collection of 'identification information', significant policy issues may arise if citizens are not adequately informed about how information provided for provision of driver's licences may be re-used for other law enforcement purposes.
"This would include the retrieval of biometric details through one-to-many searches using the Facial Identification Service. Further consideration should be given to how such disclosure notifications could be implemented."
Also of concern to the state is the potential IMS access extended to local government authorities, and in particular, the private sector. The submission highlights there should be cause for concern that it isn't clear how local government authorities or non-government entities are going to be able to demonstrate compliance.
Pointing to the Intergovernmental Agreement on Identity Matching Services (IGA), the submission notes there are inconsistencies between that arrangement and the IMS Bill, despite Home Affairs last week in its submission saying it considers the privacy safeguards built in to the IMS Bill, as well as those contained in the IGA and administrative and policy arrangements supporting the services, as being "sufficient" in ensuring the services are used appropriately.
Victoria's submission also highlights that clause 5.5 of the IGA states the private sector "will not be given access" to FMS or the Identity Data Sharing Service, aside from the DVS; however the IMS Bill doesn't contain the same restriction.
Where local government authorities are concerned, Victoria believes extending them access to the IMS system goes beyond what was agreed upon in the IGA. Using VicRoads as its example, the submission explains the authority by which VicRoads is able to share information for the National Driver Licence Facial Recognition Solution is tied to the IGA.
"VicRoads may not be authorised to disclose information for the purpose of it being used in an identity-matching service by a local government authority," the submission explains.
Additionally, Victoria wants non-government entities to be subject to the same conditions that local government authorities are, and wants this more cohesively reflected in the Bill.
In its submission last week, Home Affairs argued that although it is not clear how often government agencies will use the FIS, a requirement to obtain a warrant would prevent agencies using the service "in many cases".
According to Home Affairs, the Bill is also not intended to regulate access to the face-matching services by other agencies.
"The department notes that the Bill is designed to facilitate access to information for certain purposes by agencies that have a lawful basis to do so under other legislation," it wrote.
"There are relatively few circumstances where law-enforcement agencies would need a warrant to obtain information needed to identify a person, or to verify a claimed identity.
"In addition, the governance arrangements for access to the services, particularly the FIS, have strict controls to ensure access is lawful and proportionate."